US20020184533A1 - System and method for providing network security policy enforcement - Google Patents


Info

Publication number
US20020184533A1
Authority
US (United States)
Prior art keywords
module, network, policy, netbios, scan
Legal status
Abandoned
Application number
US10/159,316
Inventor
Paul Fox
Current Assignee
Individual
Original Assignee
Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the invention relates to a system and method for enforcing a network security policy. More particularly, the invention relates to a system and method for enforcing a network security policy by scanning computers connected to the network for current policy values and comparing the current policy values with predetermined policy values.
  • Computer network security is an important issue today. With the exponential growth of the Internet, the number of potential computer hackers to an organization has increased. The barrier of entry for a computer hacker to engage in informational warfare has become virtually non-existent. Computer hackers can range from a petty criminal to a hired, skilled hacker of an unfriendly organization. Computer hackers may desire goals from personal glorification to national/industrial espionage. Computer network attacks come in many forms such as web page defacement and confidential information theft/tampering.
  • Computer networks are generally in a state of flux.
  • Networked computer systems should have a computer policy.
  • the network policy should clearly define which systems are allowed to be connected to the network during various conditions.
  • the policy should identify the system's assigned tasks and be monitored for any deviations.
  • a fundamental rule is that a networked system should not run unneeded nor unused TCP/UDP daemons.
  • the policy should therefore identify an allowed list of TCP/UDP daemons a system may run. Defining and adhering to a security baseline is a strong factor for computer network security. Identifying a computer network's architecture and functionality at any given time is a key element to its protection. Once non-compliance is determined, corrective measures may be taken to rectify the non-compliance.
  • Network administrators may apply various computer network software products as deemed appropriate to meet network requirements. Network administrators may be hampered in this task due to time constraints and effective storage of data. Typically, network administrators may not electronically store the policy compliance status of a network for future reference by the network administrator or other network user.
  • Computer network security policies apply to both networked systems and network users.
  • the policy may state which computers are allowed to be connected to the network and which TCP/UDP services are allowed for each networked system.
  • the network should be monitored for policy deviations by comparing stored policy values to the current policy values of the network. All results may be stored in a central location and be discernible to a network user.
  • Network users should have the training and experience to independently make sound security decisions.
  • One method of informing users of potential dangers is via e-mail. This is somewhat ineffective because a network administrator generally has no effective way to determine if the recipients have read the policy and are in compliance.
  • a network user also should have a mechanism to inform the network administrator that the network user is in compliance.
  • a network user's policy compliance level should be stored in the event of an investigation regarding the network compliance of the network user.
  • the invention relates to a rack-mountable, self-contained computer network security device that actively monitors a computer network's policy-defined configuration baseline for deviations.
  • a network administrator may access the device via the Hypertext Transfer Protocol/Secure Sockets Layer (HTTP/SSL).
  • Policy compliance may be determined by actively scanning the network and comparing scan results to the policy defined baseline. If the scan results and policy baseline values match, the network is deemed to be compliant. If the scan results and policy baseline values do not match, however, the network is deemed non-policy compliant. All results may be stored in a database.
  • the invention may provide a central location for network users to determine an organization's security policy and increase the network user's computer network security knowledge.
  • the invention may display the organization's computer network security policy.
  • Network users may be notified via e-mail of organizational policy amendments.
  • the e-mail message may include a Uniform Resource Locator (URL) to a web page that contains the policy amendments.
  • FIG. 1A is a schematic block diagram of a method for scanning networked systems according to one embodiment of the invention.
  • FIG. 1B is a schematic block diagram of a method for scanning networked systems according to one embodiment of the invention.
  • FIG. 2 is a schematic block diagram of a method for scanning TCP/UDP ports according to one embodiment of the invention.
  • FIG. 3 is a schematic block diagram of a method for notifying network users of a network policy amendment according to one embodiment of the invention.
  • FIG. 4 is a schematic block diagram of a system for scanning networked systems according to one embodiment of the invention.
  • FIG. 5 is a schematic block diagram of a system for scanning TCP/UDP ports according to one embodiment of the invention.
  • FIG. 6 is a schematic block diagram of a method for notifying network users of a network policy amendment according to one embodiment of the invention.
  • FIG. 7 is a schematic block diagram of a method of determining whether a networked system complies with a network security policy according to one embodiment of the invention.
  • FIG. 8 is a schematic block diagram of a system for determining whether a networked system complies with a network security policy according to one embodiment of the invention.
  • the invention relates to a self-contained, rack mountable computer system that may be attached internally to an organization's Transmission Control Protocol/Internet Protocol (TCP/IP) computer network.
  • the system may be accessed from a network user's computer using, for example, a standard web browser.
  • Sensitive information may be encrypted between the system and the network user's web browser via the Secure Sockets Layer (SSL). Access may be enabled on a password-based operational role.
  • the system may actively scan the network to determine which computers, terminals, workstations, etc. are connected to the network and the TCP/UDP services the computers are operating at any given time. Scan results may be compared to a computer network policy defined network configuration stored within a system database. Any discrepancies may be flagged such that the network user may identify non-policy compliant computers.
  • the system may provide a central web-based location for organizations to post network security policy and promulgate policy amendments to network users.
  • the system may be a TCP/IP networked computer system contained in an 18″ × 12″ × 2″ metal chassis.
  • System programs may be stored on a hard disk of, for example, 10 GB (or greater).
  • the computer system preferably includes an operating system that supports the TCP/IP.
  • the computer system may be accessed via a hypertext transfer protocol (HTTP) compliant web server.
  • the computer system functions preferably are compiled C programs that are stored in the web server's Common Gateway Interface (CGI) directories. Operating system access may be provided through the system's monitor and keyboard interface and/or 10/100BaseT Ethernet interface (e.g., Telnet and/or SSH protocols).
  • the computer system may use a list of IP addresses stored within a database to determine which computers to monitor.
  • the network user may add, remove, and edit the list of IP addresses stored within the database.
  • the computer system may not scan computers that are not included in the list of IP addresses.
  • Each IP address may be assigned system identifying attributes. These attributes may be dictated by the network policy and may include: Domain Name Service (DNS) fully qualified domain name, netbios hostname, netbios user name, operating system, Media Access Control (MAC) address, machine type template, mission critical status, physical location, point of contact phone/e-mail address, and text description.
  • machine type template may be an array of TCP and UDP ports that are allowed to be active on a system.
  • the computer system may determine a networked computer's policy compliance using Network Discovery and TCP/UDP port scans. These scans may be initiated by a network user or scheduled to execute at predetermined times.
  • FIGS. 1A and 1B illustrate a method of scanning networked systems using the Network Discovery scan according to one embodiment of the invention.
  • the Network Discovery scan may be a compiled C program located within the web server's CGI directory.
  • the Network Discovery scan may scan the database for multiple IP addresses, subset IP addresses or a single IP address.
  • the Network Discovery scan may use network environment variables (e.g., HTML PUT, GET and command line) as arguments, step 102.
  • the Network Discovery scan may determine if the input is valid, step 104 . If the input is invalid, an error may be returned and the program may be exited, step 106 .
  • the Network Discovery scan may then create a linked list of information structures for each IP address, step 108 .
  • Each structure may contain fields for the policy defined and scan discovered values of each IP address' MAC address, DNS hostname, netbios hostname, user name, ICMP response, TCP ping response, and operating system type.
  • the Network Discovery scan may insert the database stored policy defined values into each IP address' appropriate fields, step 110 .
  • the Network Discovery scan may traverse the linked list and determine DNS defined hostnames registered to the IP addresses. This may be achieved by using the gethostbyaddr C function to query the network's domain name server, step 112. A fully-qualified domain name may be extracted from the response and stored in the DNS hostname structure member.
  • An Internet Control Message Protocol (ICMP) echo request may be sent to each IP address within the linked list, step 114 .
  • the ICMP echo request may include packets that are sent out in a configurable burst rate.
  • the values of the burst rate may be stored within the database and may be configurable to adjust to various networking environments.
  • the packets may contain values for the number of packets to send in succession, retry attempts, and the time-out values in waiting for a response. These values may be configured via the computer system's network user's menu.
  • the ICMP packets may be created via a RAW socket interface and have a padded payload to give the packet a size of 1024 bytes. Better throughput performance may be achieved using packets of this size.
  • the ICMP packet's payload may be filled with, for example, the character string “NETFOX NETFOX NETFOX . . . . ” This may inform network monitoring devices that the ICMP packet originated from a NETFOX device.
  • a TCP ping may also be sent to determine if a network host is active.
  • a TCP ping may be useful because a computer hacker may disable a computer's ability to respond to an ICMP echo request that may be detected.
  • the computer system may send a TCP ping request to a TCP port 113 (authentication) and a second TCP ping request to a TCP port the user specifies, step 116 .
  • the computer system may traverse the linked list and send a TCP synchronization request to each IP address' authentication port and user specified TCP port, step 118 .
  • the host is active if a connection is created, step 120, or an error from the host is returned (e.g., an ECONNREFUSED error message), step 106.
  • the computer system may send netbios name service query request packets to the IP addresses within the linked list that responded to an ICMP request, TCP ping request or both, step 124 .
  • the netbios name service may run on UDP port 137.
  • a determination may be made regarding whether the queried system has transmitted a response, step 126 . If the queried system transmits a response packet, the netbios hostname may be extracted, step 128 .
  • the name of a currently logged-on user and MAC address of the network interface card may be determined from the response packet, step 130 .
  • the IP address netbios_flag within the linked list of the responding system may be set, step 132 .
  • the computer system may determine a networked system's operating system based upon the unix_flag and netbios_flag, step 134 .
  • the computer system may make an educated guess as to the type of operating system for each active IP address. The educated guess may be based on whether a system is running the authentication service. If the system is running the authentication service, the system may be considered to be a UNIX based system. If the system is not running the authentication service, the system may be considered to be a Microsoft based system if the netbios name service protocol is running. Otherwise, the operating system may be indeterminate.
  • the scan results may be imported to a database located on, for example, a hard disk and presented to the network user using web browser, step 136 .
  • Stored in the database along with the scan results may be scan information.
  • Scan information may include when the scan started and completed, the range of IP addresses scanned, and the name of the network user who requested the scan.
  • the results may be parsed into three different tables.
  • the networked systems that responded to the ICMP echo requests may be considered to be an up known host.
  • the up known hosts may then be presented to a network user in an up known hosts table that identifies the IP address for each up known host, step 138 .
  • Displayed next to each IP address may be a networked system's associated policy defined DNS hostname, netbios hostname, netbios username, operating system and MAC address.
  • the scan discovered values may be presented adjacent the policy definitions. Any dissimilar values may be displayed in red.
  • Another table may be titled “stowaway.”
  • the “stowaway” table may be presented to a network user, step 140 .
  • the “stowaway” table may display the IP addresses that did not respond to ICMP echo requests but did respond to TCP ping requests.
  • the policy defined values and the scan results may be displayed with the IP address.
  • a third table may be titled down known hosts.
  • the down known hosts table may be presented to a network user, step 142 . Every networked system corresponding to an IP address listed in a table that did not respond to an ICMP echo request or TCP ping may be displayed in this table along with the associated policy defined system attributes.
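The three-table split and the policy-versus-scan comparison described above, written out as an added C example (not code from the patent): one linked-list node holds the policy-defined and scan-discovered values side by side, classify_host() places it in the up known hosts, stowaway or down known hosts table from its ICMP and TCP ping responses, guess_os() applies the unix_flag / netbios_flag rule, and compare_policy() returns a mask of the attributes that would be shown in red. The struct layout, field names, the case-insensitive comparison and the sample hosts are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>

enum host_table { UP_KNOWN_HOST, STOWAWAY, DOWN_KNOWN_HOST };   /* result table of a scanned IP */
enum os_guess { OS_UNIX, OS_MICROSOFT, OS_INDETERMINATE };        /* from unix_flag / netbios_flag */
enum { DIFF_DNS = 1, DIFF_NETBIOS = 2, DIFF_USER = 4, DIFF_MAC = 8, DIFF_OS = 16 }; /* mismatch bits */

/* One linked-list node: policy-defined and scan-discovered values side by side.
 * Field names and sizes are assumptions; the patent does not give them. */
struct host_info {
    char ip[16];
    char policy_dns[64],     scan_dns[64];
    char policy_netbios[32], scan_netbios[32];
    char policy_user[32],    scan_user[32];
    char policy_mac[18],     scan_mac[18];
    enum os_guess policy_os;
    int icmp_response;      /* answered the ICMP echo request */
    int tcp_ping_response;  /* SYN to port 113 or the user port drew a connection or a reset */
    int unix_flag;          /* a connection to TCP port 113 (auth) was actually created */
    int netbios_flag;       /* answered the netbios name service query on UDP 137 */
    const struct host_info *next;
};

/* Case-insensitive equality. DNS and netbios names and MAC hex digits come back
 * in mixed case from different stacks; a plain strcmp would flag them red. */
static int same_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Three-way split behind the up known hosts, stowaway and down known hosts tables. */
enum host_table classify_host(const struct host_info *h)
{
    if (h->icmp_response)     return UP_KNOWN_HOST;
    if (h->tcp_ping_response) return STOWAWAY;      /* ICMP silent, TCP ping answered */
    return DOWN_KNOWN_HOST;
}

/* Educated guess of step 134: auth service => UNIX, else netbios => Microsoft. */
enum os_guess guess_os(const struct host_info *h)
{
    if (h->unix_flag)    return OS_UNIX;
    if (h->netbios_flag) return OS_MICROSOFT;
    return OS_INDETERMINATE;
}

/* Mismatch mask between policy-defined and scan-discovered fields. A down host
 * produced no scan values, so nothing is compared and only policy is shown. */
unsigned compare_policy(const struct host_info *h)
{
    unsigned diff = 0;
    if (classify_host(h) == DOWN_KNOWN_HOST) return 0;
    if (!same_ci(h->policy_dns, h->scan_dns))         diff |= DIFF_DNS;
    if (!same_ci(h->policy_netbios, h->scan_netbios)) diff |= DIFF_NETBIOS;
    if (!same_ci(h->policy_user, h->scan_user))       diff |= DIFF_USER;
    if (!same_ci(h->policy_mac, h->scan_mac))         diff |= DIFF_MAC;
    if (h->policy_os != guess_os(h))                  diff |= DIFF_OS;
    return diff;
}

/* Constructed sample list: a compliant UNIX server, a stowaway whose logged-on
 * user and MAC differ from policy, and a host that answered nothing. */
static const struct host_info down = { .ip = "10.0.0.30", .policy_dns = "db.example.test",
    .policy_netbios = "DB", .policy_user = "svc", .policy_mac = "00:11:22:33:44:57",
    .policy_os = OS_MICROSOFT };
static const struct host_info stow = { .ip = "10.0.0.20", .policy_dns = "ws20.example.test",
    .scan_dns = "WS20.example.test", .policy_netbios = "WS20", .scan_netbios = "WS20",
    .policy_user = "alice", .scan_user = "mallory",
    .policy_mac = "00:11:22:33:44:56", .scan_mac = "00:11:22:33:44:99",
    .policy_os = OS_MICROSOFT, .tcp_ping_response = 1, .netbios_flag = 1, .next = &down };
static const struct host_info up = { .ip = "10.0.0.10", .policy_dns = "srv10.example.test",
    .scan_dns = "srv10.example.test", .policy_os = OS_UNIX,
    .icmp_response = 1, .tcp_ping_response = 1, .unix_flag = 1, .next = &stow };

const struct host_info *sample_list(void) { return &up; }

/* Walk the list and print one line per host in the spirit of the three tables. */
void print_tables(const struct host_info *head)
{
    static const char *table_name[] = { "up known host", "stowaway", "down known host" };
    static const char *os_name[] = { "UNIX", "Microsoft", "indeterminate" };
    for (const struct host_info *h = head; h; h = h->next) {
        unsigned d = compare_policy(h);
        printf("%-10s %-16s os=%-13s mismatch=0x%02x%s\n", h->ip,
               table_name[classify_host(h)], os_name[guess_os(h)], d,
               d ? "  (shown in red)" : "");
    }
}

int main(void)
{
    print_tables(sample_list());
    return 0;
}
```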
  • FIG. 2 illustrates a TCP/UDP port scanning method according to one embodiment of the invention.
  • the TCP/UDP port scan may be a compiled C program located within the web server's CGI directory.
  • the computer system may allow a network user to scan the complete IP address range, a subset of the IP address range or single IP address stored within a database.
  • the scan's TCP/UDP port query range may be refined to include privileged ports (1-1023), the complete range of TCP/UDP ports (1-65355) or a user-defined array of ports.
  • the TCP/UDP port scan may use a network user's input environment variables (e.g., HTML PUT, GET and command line) as arguments, step 202.
  • a determination may be made regarding whether the user input is valid, step 204 . If the input is invalid, an error may be returned and the program may be exited, step 206 .
  • the TCP/UDP port scan may create a linked list from the IP address range specified, step 208 . Policy information may then be extracted from the database, step 210 . An ICMP echo request may then be transmitted to a system corresponding to that IP address to determine if the IP address is active, step 212 . A determination may be made regarding whether the system has responded to the ICMP request, step 214 . If the system fails to respond to the ICMP echo request, a TCP ping may be sent to the system, step 216 . A determination may then be made regarding whether the system has responded to either or both the ICMP request or the TCP ping, step 218 .
  • the system may be scanned. Systems that do not respond to either request may not be scanned. Based on the determination of step 218, the systems to be scanned may be set, step 220.
  • the TCP/UDP port scan may commence TCP port scanning for ports specified by the network user, step 222 .
  • the TCP/UDP port scan may use the RFC defined protocol for TCP communication establishment and termination.
  • the TCP/UDP port scan may attempt a TCP connection to every TCP port requested by the network user on every active system. Based upon the response from the scanned system, the queried port may be deemed active or inactive. If the networked system's TCP service responds to the synchronization request with an ASCII text banner, the computer system copies the ASCII text banner into the database. If a system corresponding to an IP address fails to respond to multiple TCP synchronization attempts, the system may be considered inactive. This may occur when a system is running a personal firewall or other security software that modifies a system's network behavior. Scanning of the system may be stopped and the program may continue the scanning process with the next active IP address in the linked list.
  • the TCP/UDP port scan may return to the beginning of the linked list to UDP port scan active systems, step 224 .
  • the TCP/UDP port scan may send a UDP packet to every query port of every active system.
  • the UDP packet's payload may contain the character string “NETFOX NETFOX NETFOX . . . ” to elicit a response from the queried port.
  • a UDP packet may be transmitted to each port of each scanned system, step 226 .
  • a determination may be made regarding which, if any, of the scanned systems have responded to the UDP packet, step 228 .
  • the TCP/UDP port scan may terminate scanning a system if the number of UDP requests not responded to reaches a predefined limit. UDP ports that responded to UDP queries may be stored within the scan results. The TCP/UDP port scan may continue scanning with the next active IP address in the linked list, step 230 .
  • results may be imported into the database, step 232 , and output to the network user's web browser, step 234 .
  • Stored in the database along with the scan results may be information concerning the completed scan. This information may include when the scan started and completed, the range of IP addresses scanned, the TCP/UDP ports queried, and the name of the network user who requested the scan.
  • the results may be parsed into two different tables. Systems that were scanned may be displayed in an up hosts table. Displayed along with every scanned system's IP address may be the scanned system's allowed TCP/UDP ports compared to scan discovered TCP/UDP ports.
  • Scan-found active TCP/UDP ports that do not match a system's allowed list of TCP/UDP ports may be displayed in red. Policy-allowed TCP/UDP ports may be displayed in blue. This aids the network user in quickly determining policy compliance. Every port number may be linked to another web page that contains port-specific information. The port's ASCII text banner and timestamp are displayed when applicable.
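The port-level comparison behind the up hosts table (the "red" versus "blue" split above, and the rule earlier on the page that a system should run no unneeded TCP/UDP daemons), as an added C example that is not code from the patent: the machine type template is modelled as separate arrays of allowed TCP and UDP ports, check_ports() marks every scan-found port as allowed or a violation, and port_range_valid() is the input validity check a CGI front end would apply to the query range. The struct names, the sample template, the scan results and the banner text are constructed for this example.

```c
#include <stdio.h>

enum proto { PROTO_TCP, PROTO_UDP };
enum port_status { PORT_ALLOWED, PORT_VIOLATION };   /* blue vs red in the up hosts table */

/* Machine type template: arrays of TCP and UDP ports that policy allows to be active. */
struct port_template {
    const int *tcp_ports; size_t n_tcp;
    const int *udp_ports; size_t n_udp;
};

/* One port the scan found active, with the ASCII banner copied from a TCP
 * service's reply (empty when the service sent none, and always for UDP). */
struct found_port {
    enum proto proto;
    int port;
    const char *banner;
};

/* Input validity check for the query range: the privileged range 1-1023, the
 * complete range, or a user-defined span, all of which must lie within 1..65535. */
int port_range_valid(int lo, int hi)
{
    return lo >= 1 && hi >= lo && hi <= 65535;
}

/* Membership test against the template for the right protocol. TCP and UDP
 * lists are kept apart: TCP 53 being allowed says nothing about UDP 53. */
int port_allowed(const struct port_template *t, enum proto p, int port)
{
    const int *list = (p == PROTO_TCP) ? t->tcp_ports : t->udp_ports;
    size_t n = (p == PROTO_TCP) ? t->n_tcp : t->n_udp;
    for (size_t i = 0; i < n; i++)
        if (list[i] == port) return 1;
    return 0;
}

/* Classifies each found port and returns how many fall outside the template. */
size_t check_ports(const struct port_template *t, const struct found_port *found,
                   size_t n_found, enum port_status *status)
{
    size_t violations = 0;
    for (size_t i = 0; i < n_found; i++) {
        status[i] = port_allowed(t, found[i].proto, found[i].port) ? PORT_ALLOWED : PORT_VIOLATION;
        violations += (status[i] == PORT_VIOLATION);
    }
    return violations;
}

/* Constructed sample: a web server template and a scan that found two extra daemons. */
static const int web_tcp[] = { 22, 80, 443 };
static const int web_udp[] = { 123 };
static const struct port_template web_template = { web_tcp, 3, web_udp, 1 };
static const struct found_port web_scan[] = {
    { PROTO_TCP, 22,   "SSH-2.0-example (constructed banner)" },
    { PROTO_TCP, 80,   "" },
    { PROTO_TCP, 443,  "" },
    { PROTO_TCP, 3389, "" },      /* not in the template: shown in red */
    { PROTO_UDP, 123,  "" },
    { PROTO_UDP, 137,  "" },      /* netbios name service, not in the template: red */
};
#define WEB_SCAN_N (sizeof web_scan / sizeof web_scan[0])

const struct port_template *sample_template(void) { return &web_template; }
const struct found_port *sample_scan(size_t *n) { *n = WEB_SCAN_N; return web_scan; }

/* Verdict helpers for the sample, so the comparison can be checked without I/O. */
size_t sample_violations(void)
{
    enum port_status st[WEB_SCAN_N];
    return check_ports(&web_template, web_scan, WEB_SCAN_N, st);
}
enum port_status sample_status(size_t i)
{
    enum port_status st[WEB_SCAN_N];
    check_ports(&web_template, web_scan, WEB_SCAN_N, st);
    return i < WEB_SCAN_N ? st[i] : PORT_VIOLATION;
}

/* Renders the per-system comparison the way the up hosts table presents it. */
void print_port_report(const char *ip, const struct port_template *t,
                       const struct found_port *found, size_t n_found)
{
    enum port_status status[64];
    if (n_found > 64) n_found = 64;              /* keep the stack buffer honest */
    size_t bad = check_ports(t, found, n_found, status);
    printf("%s: %zu active port(s), %zu outside policy\n", ip, n_found, bad);
    for (size_t i = 0; i < n_found; i++)
        printf("  %s/%-5d %-9s %s\n", found[i].proto == PROTO_TCP ? "tcp" : "udp",
               found[i].port, status[i] == PORT_ALLOWED ? "allowed" : "VIOLATION",
               found[i].banner);
}

int main(void)
{
    size_t n;
    const struct found_port *scan = sample_scan(&n);
    print_port_report("10.0.0.10", sample_template(), scan, n);
    return 0;
}
```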
  • the computer system may allow the network users to view the previous results of network scans.
  • the database may be searched to find all scan results based upon type of scan (Network Discovery or TCP/UDP Port scan), time, IP address range scanned, IP address, username, DNS name, netbios hostname, netbios username, MAC address, TCP/UDP port number, or other criteria.
  • the results may be presented as a list of completed scan times and dates which may be hyper-text linked to actual scan results. Scan results may display the time the scan was executed, the network user who initiated the scan, type of scan, and the time required for the scan to complete.
  • the computer system network user may create a policy revision to reflect a change in policy as shown in FIG. 3.
  • the network user may formulate a new policy amendment, step 302 .
  • the network user may send, for example, an e-mail notification to the policy's intended recipients, step 304 . If an e-mail notification is not sent, the policy may be stored in a modifiable form, step 306 . If an e-mail notification is to be sent, the network user may select one or more intended recipients, step 308 .
  • a list of recipient's e-mail addresses may be stored within the computer system database.
  • the computer system may create a Simple Mail Transfer Protocol (SMTP) based e-mail message.
  • the SMTP e-mail message may be sent to every selected recipient, step 310 .
  • Contained in the e-mail message may be a URL that retrieves the newly created policy amendment from the computer system.
  • the completed policy revision may be stored within the database.
  • the network user may be unable to modify any policy amendment that has been sent via e-mail. If the network user does not send an e-mail message, the policy may be stored within the database for subsequent modification or deletion.
  • An e-mail recipient may receive an e-mail message from the computer system containing a URL for the computer system, step 312 .
  • the recipient may click on the URL, step 314 , and a web browser window may open containing the revised policy, step 316 .
  • the recipient may supply their name within a text field, step 318 , and select an acknowledge button, step 320 .
  • the computer system may then determine the IP address for the computer being used by the recipient, computer DNS, netbios name, current user, MAC address and date, step 322 .
  • the results may then be stored in the database, step 324 .
  • the computer system may not acknowledge a network user's policy compliance unless the user's name is entered in the provided text field. Once the network user has acknowledged the policy amendment, a confirmation may be returned to the network user, step 326 .
  • Every policy that has been sent may have a View Compliance link.
  • the network user may select this link to determine which network users have read and complied with the policy amendment. If the IP address of the complying user's system is within the computer system database, the network user may view the contact information for the system. This allows the network user to quickly determine a network user's level of policy compliance.
  • FIG. 7 illustrates an overall method of determining whether a networked system complies with a network security policy according to one embodiment of the invention.
  • a system for determining whether the system is in compliance may be identified, step 12 .
  • the system may then be scanned, step 14 .
  • the system may be scanned for current network and/or system information such as, for example, netbios hostname, operating system, netbios username, IP address, etc.
  • the current network and/or system information may be compared to network and/or system information stored for the system, step 16 . Based on the comparison of current information and stored information, a determination may be made regarding whether the system complies with the network security policy, step 18 .
  • FIG. 8 illustrates a system 20 for determining whether a networked system complies with a network security policy according to one embodiment of the invention.
  • the system 20 may include a system identifying module 22 that identifies one or more systems to determine whether the one or more systems comply with a network security policy.
  • a system scanning module 24 may be used to scan the systems identified by system identifying module 22 for current network and/or system information such as, for example, netbios hostname, operating system, netbios username, IP address, etc.
  • the current network and/or system information may be compared to network and/or system information stored for the system using, for example, policy value comparing module 26 . Based on the comparison of current information and stored information, a determination may be made regarding whether the system complies with the network security policy using, for example, policy compliance determining module 28 .
  • FIG. 4 illustrates a system 400 for scanning networked systems using a network discovery scan according one embodiment of the invention.
  • the system 400 may include an input receiving module 402 .
  • the input receiving module 402 may enable a network user to input network environment variables (e.g., HTML PUT, GET, and command line) as arguments.
  • An input validity determining module 404 may determine whether the network user input is valid. If a determination is made that the network user input is invalid, an error reporting and exiting module 406 may be used to present an error message to the network user indicating that the network user input is invalid and may also exit the computer system. If, however, the network user input is valid, the system 400 may create a linked list of information structures for each IP address using linked list creating module 408. The system 400 may then insert the database-stored policy defined values into each IP address's appropriate fields using policy value importing module 410.
  • the system 400 may then use the linked list to determine DNS defined hostnames registered to the IP addresses using DNS gethostbyaddr calling module 412.
  • An Internet Control Message Protocol (ICMP) echo request may be transmitted to each IP address in the linked list using ICMP echo request transmitting module 414.
  • a TCP ping transmitting module 416 may be used to transmit a TCP ping to the networked systems.
  • a TCP ping may be used in the event that a networked system's ability to respond to an ICMP echo request has been disabled.
  • a TCP synchronization request may then be transmitted using TCP synchronization requesting module 418 .
  • a connection determining module 420 may be used to determine whether a connection to the networked system has been made. If a connection has been made, the UNIX_flag member for the computer system may be set using UNIX_flag member setting module 422.
  • the system 400 may then transmit a netbios name request using netbios name request transmitting module 424.
  • Netbios name response determining module 426 may then be used to determine whether a response has been transmitted for the netbios name request. If a netbios name response has been transmitted, the netbios hostname may be extracted using netbios hostname extracting module 428.
  • a user name and MAC address for the netbios response transmitting system may be determined using user name and MAC address determining module 430 .
  • the netbios_flag for the responding system may then be set using netbios_flag setting module 432 .
  • the system 400 may then determine the operating system for the responding system using operating systems determining module 434 .
  • the system 400 may base a determination on whether a responding system is running an authentication service. If the system is running an authentication service, the responding system may be considered to be a UNIX based system. If the system is not running an authentication service, the system may be considered to be a Microsoft based system if a netbios name service protocol is running.
  • the result of the scan may be imported to a database using results importing module 436 .
  • up known hosts may be displayed using up known host displaying module 438 .
  • Stowaways may be displayed using stowaway displaying module 440 .
  • Down known hosts may be displayed using down hosts displaying module 442 .
  • FIG. 5 illustrates a system 500 for TCP/UDP port scanning according to one embodiment of the invention.
  • System 500 may include an input receiving module 502 that enables a user to provide input.
  • Input validity determining module 504 may be used to determine whether the input is valid. If a determination is made that the input is invalid, an error report may be generated and the system exited using error reporting and exiting module 506. If the input is valid, however, a linked list of IP addresses may be created using linked list creating module 508. Policy values to which each of the systems corresponding to the IP addresses must adhere may be imported using policy value importing module 510.
  • An ICMP request may then be transmitted to each system corresponding to the IP addresses in the linked list using ICMP request transmitting module 512 .
  • An ICMP request response determining module 514 can then be used to determine whether any of the systems have responded to the ICMP request.
  • A TCP ping transmitting module 516 may be used to transmit a TCP ping to one or more of the systems corresponding to the IP addresses in the linked list.
  • A TCP ping response determining module 518 may be used to determine whether a response has been received for one or more of the TCP pings transmitted.
  • The systems to be scanned may be set using systems to be scanned setting module 520.
  • TCP scanning may then commence using TCP scanning module 522 .
  • The system 500 may then return to the linked list using linked list returning module 524.
  • A UDP packet may then be transmitted to each port of a scanned system using UDP packet transmitting module 526.
  • A determination may be made regarding whether one or more of the scanned systems have responded to the UDP packet using UDP packet response determining module 528. Based on the determination made by UDP packet response determining module 528, UDP scanning may be commenced for those systems that transmitted a response using UDP scanning module 530.
  • The scan results may be imported using scan results importing module 532.
  • The scan results may then be output and presented to a network user using scanned results outputting module 534.
  • FIG. 6 illustrates a system 600 for notifying a network user of a policy amendment according to one embodiment of the invention.
  • The system 600 may include a policy amendment creating module 602 that enables a network user to create an amendment to a network security policy.
  • The network user may request that an electronic mail message be created to notify other network users of the policy amendment.
  • The e-mail message request may be made using e-mail message requesting module 604. If the user does not request that an e-mail message be created, the policy including the policy amendment may be stored using policy storing module 606.
  • The network user may select one or more recipients to whom the e-mail message should be sent using recipient selecting module 608.
  • The e-mail message may then be sent to the recipients using message sending module 610.
  • The recipients may then receive the message using message receiving module 612.
  • The e-mail message may include a uniform resource locator (URL), which may be a hypertext link that presents the policy amendment to the network user.
  • The network user may select the URL using URL selecting module 614. If the network user selects the URL, the policy amendment may be presented to the user using policy presenting module 616.
  • The policy may be presented in a browser window.
  • Policy presenting module 616 may present the network user with a field in which the network user may provide a user name. The user name input by the network user may be received using user name receiving module 618. An acknowledge button may also be presented to the user using policy presenting module 616, such that after the network user reads the policy, the network user may select the acknowledge button using acknowledge button selecting module 620 to acknowledge that the network user has read the policy.
  • System 600 may then identify the type of system in use by the network user using system identifying module 622. The information may include, for example, operating system, network connection, etc. This information may be stored in a database using information storing module 624. A policy confirmation may then be transmitted to the network user using policy confirmation transmitting module 626.

Abstract

A rack-mountable, self-contained computer network security device that actively monitors a computer network's policy-defined configuration baseline for deviations. The device compares system identifying attributes and active TCP/UDP daemons to a policy baseline to determine policy compliance. Computer system events may be stored within a database.

Description

  • RELATED APPLICATIONS
  • This application claims priority to U.S. provisional application Serial No. 60/294,312 filed May 30, 2001, which is incorporated by reference in its entirety. [0001]
  • FIELD OF THE INVENTION
  • The invention relates to a system and method for enforcing a network security policy. More particularly, the invention relates to a system and method for enforcing a network security policy by scanning computers connected to the network for current policy values and comparing the current policy values with predetermined policy values. [0002]
  • BACKGROUND OF INVENTION
  • Computer network security is an important issue today. With the exponential growth of the Internet, the number of potential computer hackers threatening an organization has increased. The barrier to entry for a computer hacker to engage in information warfare has become virtually non-existent. Computer hackers can range from a petty criminal to a hired, skilled hacker working for an unfriendly organization. Their goals may range from personal glorification to national/industrial espionage. Computer network attacks come in many forms, such as web page defacement and confidential information theft/tampering. [0003]
  • One issue facing computer network security is the lack of a computer network policy. Organizations should define a computer network policy that provides a framework for the computer network's physical design and a guideline for computer network users. Computer networks are generally in a state of flux. Networked computer systems should have a computer policy. The network policy should clearly define which systems are allowed to be connected to the network under various conditions. The policy should identify each system's assigned tasks, and the network should be monitored for any deviations. In May of 2000, the SANS Institute published its “Top Ten Security Threats.” Nine of the ten threats pertained to Transmission Control Protocol/User Datagram Protocol (TCP/UDP) daemons. A fundamental rule is that a networked system should not run unneeded or unused TCP/UDP daemons. The policy should therefore identify an allowed list of TCP/UDP daemons a system may run. Defining and adhering to a security baseline is a strong factor in computer network security. Identifying a computer network's architecture and functionality at any given time is a key element of its protection. Once non-compliance is determined, corrective measures may be taken to rectify it. [0004]
  • Network administrators may apply various computer network software products as deemed appropriate to meet network requirements. Network administrators may be hampered in this task due to time constraints and effective storage of data. Typically, network administrators may not electronically store the policy compliance status of a network for future reference by the network administrator or other network user. [0005]
  • Computer network security policies apply to both networked systems and network users. The policy may state which computers are allowed to be connected to the network and which TCP/UDP services are allowed for each networked system. The network should be monitored for policy deviations by comparing stored policy values to the current policy values of the network. All results may be stored in a central location and be discernible to a network user. [0006]
  • One major problem facing computer network security is computer viruses. Many viruses are disseminated in electronic form as an electronic mail (e-mail) attachment, which typically requires human intervention to execute. One virus known as the “ILOVEYOU” virus has been estimated to have caused damages in excess of $6 billion worldwide. This figure might have been reduced if organizations had been able to better educate their network users regarding network security. [0007]
  • Keeping abreast of network security issues may be difficult due to the constant discovery of new vulnerabilities. Network users should have the training and experience to independently make sound security decisions. One method of informing users of potential dangers is via e-mail. This is somewhat ineffective because a network administrator generally has no effective way to determine if the recipients have read the policy and are in compliance. A network user also should have a mechanism to inform the network administrator that the network user is in compliance. A network user's policy compliance level should be stored in the event of an investigation regarding the network compliance of the network user. [0008]
  • These and other drawbacks exist. [0009]
  • SUMMARY OF THE INVENTION
  • The invention relates to a rack-mountable, self-contained computer network security device that actively monitors a computer network's policy-defined configuration baseline for deviations. A network administrator may access the device via the Hypertext Transfer Protocol/Secure Sockets Layer (HTTP/SSL). Policy compliance may be determined by actively scanning the network and comparing scan results to the policy defined baseline. If the scan results and policy baseline values match, the network is deemed to be compliant. If the scan results and policy baseline values do not match, however, the network is deemed non-policy compliant. All results may be stored in a database. [0010]
  • The invention may provide a central location for network users to determine an organization's security policy and increase the network user's computer network security knowledge. The invention may display the organization's computer network security policy. Network users may be notified via e-mail of organizational policy amendments. The e-mail message may include a Uniform Resource Locator (URL) to a web page that contains the policy amendments. Once a network user has read and acknowledged the policy amendment, the invention may store the network user's information. [0011]
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1A is a schematic block diagram of a method for scanning networked systems according to one embodiment of the invention. [0012]
  • FIG. 1B is a schematic block diagram of a method for scanning networked systems according to one embodiment of the invention. [0013]
  • FIG. 2 is a schematic block diagram of a method for scanning TCP/UDP ports according to one embodiment of the invention. [0014]
  • FIG. 3 is a schematic block diagram of a method for notifying network users of a network policy amendment according to one embodiment of the invention. [0015]
  • FIG. 4 is a schematic block diagram of a system for scanning networked systems according to one embodiment of the invention. [0016]
  • FIG. 5 is a schematic block diagram of a system for scanning TCP/UDP ports according to one embodiment of the invention. [0017]
  • FIG. 6 is a schematic block diagram of a method for notifying network users of a network policy amendment according to one embodiment of the invention. [0018]
  • FIG. 7 is a schematic block diagram of a method of determining whether a networked system complies with a network security policy according to one embodiment of the invention. [0019]
  • FIG. 8 is a schematic block diagram of a system for determining whether a networked system complies with a network security policy according to one embodiment of the invention. [0020]
  • DETAILED DESCRIPTION OF THE INVENTION
  • The invention relates to a self-contained, rack mountable computer system that may be attached internally to an organization's Transmission Control Protocol/Internet Protocol (TCP/IP) computer network. The system may be accessed from a network user's computer using, for example, a standard web browser. Sensitive information may be encrypted between the system and the network user's web browser via the Secure Socket Layer (SSL). Access may be granted according to a password-based operational role. The system may actively scan the network to determine which computers, terminals, workstations, etc. are connected to the network and which TCP/UDP services those computers are operating at any given time. Scan results may be compared to a policy-defined network configuration stored within a system database. Any discrepancies may be flagged such that the network user may identify non-policy compliant computers. The system may provide a central web-based location for organizations to post network security policy and promulgate policy amendments to network users. [0021]
  • The system may be a TCP/IP networked computer system contained in an 18″×12″×2″ metal chassis. System programs may be stored on a hard disk of, for example, 10 GB (or greater). The computer system preferably includes an operating system that supports TCP/IP. The computer system may be accessed via a hypertext transfer protocol (HTTP) compliant web server. The computer system functions preferably are compiled C programs that are stored in the web server's Common Gateway Interface (CGI) directories. Operating system access may be provided through the system's monitor and keyboard interface and/or a 10/100BaseT Ethernet interface (e.g., Telnet and/or SSH protocols). [0022]
  • The computer system may use a list of IP addresses stored within a database to determine which computers to monitor. The network user may add, remove, and edit the list of IP addresses stored within the database. The computer system may not scan computers that are not in the list of IP addresses. Each IP address may be assigned system identifying attributes. These attributes may be dictated by the network policy and may include: Domain Name Service (DNS) fully qualified domain name, netbios hostname, netbios user name, operating system, Media Access Control (MAC) address, machine type template, mission critical status, physical location, point of contact phone/e-mail address, and text description. A machine type template may be an array of TCP and UDP ports that are allowed to be active on a system. [0023]
  • The computer system may determine a networked computer's policy compliance using Network Discovery and TCP/UDP port scans. These scans may be initiated by a network user or scheduled to execute at predetermined times. [0024]
  • FIGS. 1A and 1B illustrate a method of scanning networked systems using the Network Discovery scan according to one embodiment of the invention. The Network Discovery scan may be a compiled C program located within the web server's CGI directory. The Network Discovery scan may scan the database for multiple IP addresses, a subset of IP addresses or a single IP address. The Network Discovery scan may use network environment variables (e.g., HTML PUT, GET and command line) as arguments, step 102. The Network Discovery scan may determine if the input is valid, step 104. If the input is invalid, an error may be returned and the program may be exited, step 106. If, however, the input is valid, the Network Discovery scan may then create a linked list of information structures for each IP address, step 108. Each structure may contain fields for the policy-defined and scan-discovered values of each IP address's MAC address, DNS hostname, netbios hostname, user name, ICMP response, TCP ping response, and operating system type. The Network Discovery scan may insert the database-stored policy-defined values into each IP address's appropriate fields, step 110. [0025]
  • The Network Discovery scan may traverse the linked list and determine the DNS-defined hostnames registered to the IP addresses. This may be achieved by using the gethostbyaddr C function to query the network's domain name server, step 112. The fully-qualified domain name may be extracted from the response and stored in the DNS hostname structure member. [0026]
  • An Internet Control Message Protocol (ICMP) echo request may be sent to each IP address within the linked list, step 114. The ICMP echo request may consist of packets that are sent out at a configurable burst rate. The burst rate values may be stored within the database and may be configurable to adjust to various networking environments. The configuration may specify the number of packets to send in succession, the number of retry attempts, and the time-out value to wait for a response. These values may be configured via the computer system's network user menu. The ICMP packets may be created via a RAW socket interface and have a padded payload to give the packet a size of 1024 bytes. Better throughput performance may be achieved using packets of this size. The ICMP packet's payload may be filled with, for example, the character string “NETFOX NETFOX NETFOX . . . .” This may inform network monitoring devices that the ICMP packet originated from a NETFOX device. [0027]
  • A TCP ping may also be sent to determine if a network host is active. A TCP ping may be useful because a computer hacker may disable a computer's ability to respond to an ICMP echo request so that the computer is not detected. To identify this possibility, the computer system may send a TCP ping request to TCP port 113 (authentication) and a second TCP ping request to a TCP port the user specifies, step 116. The computer system may traverse the linked list and send a TCP synchronization request to each IP address's authentication port and user-specified TCP port, step 118. The host is active if a connection is created, step 120, or an error is returned from the host (e.g., an ECONNREFUSED error message), step 106. The combination of ICMP=false and TCP=true may be used to identify potential “stowaways” on the monitored computer network. If a connection is established with the authentication port, the unix_flag member of the structure may be set, step 122. This may be used to determine the operating system of the networked computer. [0028]
  • The computer system may send netbios name service query request packets to the IP addresses within the linked list that responded to an ICMP request, a TCP ping request, or both, step 124. The netbios name service may run on UDP port 137. A determination may be made regarding whether the queried system has transmitted a response, step 126. If the queried system transmits a response packet, the netbios hostname may be extracted, step 128. The name of the currently logged-on user and the MAC address of the network interface card may be determined from the response packet, step 130. The netbios_flag of the responding system's entry in the linked list may be set, step 132. [0029]
  • The computer system may determine a networked system's operating system based upon the unix_flag and netbios_flag, step 134. The computer system may make an educated guess as to the type of operating system for each active IP address. The educated guess may be based on whether a system is running the authentication service. If the system is running the authentication service, the system may be considered to be a UNIX based system. If the system is not running the authentication service, the system may be considered to be a Microsoft based system if the netbios name service protocol is running. Otherwise, the operating system may be indeterminate. [0030]
  • Upon scan completion, the scan results may be imported into a database located on, for example, a hard disk and presented to the network user using a web browser, step 136. Scan information may be stored in the database along with the scan results. Scan information may include when the scan started and completed, the range of IP addresses scanned, and the name of the network user who requested the scan. The results may be parsed into three different tables. Networked systems that responded to the ICMP echo requests may be considered up known hosts. The up known hosts may then be presented to a network user in an up known hosts table that identifies the IP address of each up known host, step 138. Displayed next to each IP address may be the networked system's policy-defined DNS hostname, netbios hostname, netbios username, operating system and MAC address. The scan-discovered values may be presented adjacent to the policy definitions. Any dissimilar values may be displayed in red. Another table may be titled “stowaway.” The “stowaway” table may be presented to a network user, step 140. The “stowaway” table may display the IP addresses that did not respond to ICMP echo requests but did respond to TCP ping requests. The policy-defined values and the scan results may be displayed with the IP address. A third table may be titled down known hosts. The down known hosts table may be presented to a network user, step 142. Every networked system corresponding to a listed IP address that responded to neither an ICMP echo request nor a TCP ping may be displayed in this table along with its policy-defined system attributes. [0031]
  • FIG. 2 illustrates a TCP/UDP port scanning method according to one embodiment of the invention. The TCP/UDP port scan may be a compiled C program located within the web server's CGI directory. The computer system may allow a network user to scan the complete IP address range, a subset of the IP address range or a single IP address stored within the database. The scan's TCP/UDP port query range may be refined to include the privileged ports (1-1023), the complete range of TCP/UDP ports (1-65355) or a user-defined array of ports. The TCP/UDP port scan may use a network user's input environment variables (e.g., HTML PUT, GET and command line) as arguments, step 202. A determination may be made regarding whether the user input is valid, step 204. If the input is invalid, an error may be returned and the program may be exited, step 206. [0032]
  • The TCP/UDP port scan may create a linked list from the IP address range specified, step 208. Policy information may then be extracted from the database, step 210. An ICMP echo request may then be transmitted to the system corresponding to each IP address to determine if the IP address is active, step 212. A determination may be made regarding whether the system has responded to the ICMP request, step 214. If the system fails to respond to the ICMP echo request, a TCP ping may be sent to the system, step 216. A determination may then be made regarding whether the system has responded to either or both of the ICMP request and the TCP ping, step 218. If the system responds to either the ICMP echo request or the TCP ping, the system may be scanned. Systems that do not respond to either request may not be scanned. Based on the determination of step 218, the systems to be scanned may be set, step 220. [0033]
  • The TCP/UDP port scan may commence TCP port scanning for the ports specified by the network user, step 222. The TCP/UDP port scan may use the RFC-defined protocol for TCP connection establishment and termination. The TCP/UDP port scan may attempt a TCP connection to every TCP port requested by the network user on every active system. Based upon the response from the scanned system, the queried port may be deemed active or inactive. If the networked system's TCP service responds to the synchronization request with an ASCII text banner, the computer system copies the ASCII text banner into the database. If a system corresponding to an IP address fails to respond to multiple TCP synchronization attempts, the system may be considered inactive. This may occur when a system is running a personal firewall or other security software that modifies the system's network behavior. Scanning of that system may be stopped and the program may continue the scanning process with the next active IP address in the linked list. [0034]
  • When every active system has been TCP scanned, the TCP/UDP port scan may return to the beginning of the linked list to UDP port scan the active systems, step 224. The TCP/UDP port scan may send a UDP packet to every queried port of every active system. The UDP packet's payload may contain the character string “NETFOX NETFOX NETFOX . . .” to elicit a response from the queried port. A UDP packet may be transmitted to each port of each scanned system, step 226. A determination may be made regarding which, if any, of the scanned systems have responded to the UDP packet, step 228. If the networked system's UDP service responds to the query with an ASCII text banner, the computer system copies the ASCII text banner into the database. The TCP/UDP port scan may terminate scanning of a system if the number of UDP requests not responded to reaches a predefined limit. UDP ports that responded to UDP queries may be stored within the scan results. The TCP/UDP port scan may continue scanning with the next active IP address in the linked list, step 230. [0035]
  • When the UDP scan completes scanning the active hosts from the linked list, all results may be imported into the database, step 232, and output to the network user's web browser, step 234. Information concerning the completed scan may be stored in the database along with the scan results. This information may include when the scan started and completed, the range of IP addresses scanned, the TCP/UDP ports queried, and the name of the network user who requested the scan. The results may be parsed into two different tables. Systems that were scanned may be displayed in an up hosts table. Displayed along with every scanned system's IP address may be the scanned system's allowed TCP/UDP ports compared to the scan-discovered TCP/UDP ports. Active TCP/UDP ports found by the scan that do not match a system's allowed list of TCP/UDP ports (for example, as defined by the machine type template) may be displayed in red. Policy-allowed TCP/UDP ports may be displayed in blue. This aids the network user in quickly determining policy compliance. Every port number may be linked to another web page that contains port-specific information. The port's ASCII text banner and timestamp are displayed when applicable. [0036]
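As an added example, not the patent's or the NETFOX device's code, the bookkeeping of the FIG. 2 scan (steps 222 through 234) and of the equivalent system 500 modules in Python: the port-specification parser for the privileged, complete and user-defined ranges, the per-host TCP and UDP passes with the two give-up rules, and the red/blue comparison against a machine type template. Network I/O is replaced by a probe callback fed from a constructed response table, and the give-up thresholds, host addresses, banners and template are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Reply = Tuple[str, bytes]                   # ("open", banner) | ("closed", b"") | ("timeout", b"")
ProbeFn = Callable[[str, str, int], Reply]  # (ip, "tcp"|"udp", port) -> Reply


def parse_port_spec(spec: str) -> List[int]:
    """'privileged' (1-1023), 'all' (the full 1-65535 range) or a user list such as '22,80,8000-8010'."""
    if spec == "privileged":
        return list(range(1, 1024))
    if spec == "all":
        return list(range(1, 65536))
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        a, b = int(lo), int(hi or lo)
        if not 1 <= a <= b <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(a, b + 1))
    return sorted(ports)


@dataclass
class Limits:
    """Hypothetical give-up thresholds; the patent only says 'multiple' attempts and 'a predefined limit'."""
    tcp_give_up: int = 3   # consecutive unanswered SYNs before the host is deemed inactive
    udp_give_up: int = 5   # unanswered UDP queries on one host before its UDP pass stops


def scan_host(ip: str, ports: List[int], probe: ProbeFn, limits: Limits):
    """TCP pass then UDP pass over one active host (steps 222-230).

    Returns (host_still_active, {"tcp": {port: banner}, "udp": {port: banner}}); only
    responding ports are recorded, and an empty banner means the service sent none.
    """
    found: Dict[str, Dict[int, bytes]] = {"tcp": {}, "udp": {}}
    silent = 0
    for p in ports:                                   # TCP connect to every requested port
        state, banner = probe(ip, "tcp", p)
        if state == "timeout":
            silent += 1
            if silent >= limits.tcp_give_up:          # e.g. a personal firewall dropping SYNs
                return False, found
            continue
        silent = 0                                    # a refusal or a banner: the host is still answering
        if state == "open":
            found["tcp"][p] = banner
    silent = 0
    for p in ports:                                   # UDP pass with the NETFOX payload
        state, banner = probe(ip, "udp", p)
        if state == "open":
            found["udp"][p] = banner
        elif state == "timeout":
            silent += 1
            if silent >= limits.udp_give_up:
                break
    return True, found


def compliance_rows(template: Dict[str, List[int]], found) -> List[Tuple[str, int, str, bytes]]:
    """One row per port for the up hosts table: 'violation' is shown in red, 'allowed' in blue."""
    rows = []
    for proto in ("tcp", "udp"):
        allowed = set(template.get(proto, []))
        for p, banner in sorted(found[proto].items()):
            rows.append((proto, p, "allowed" if p in allowed else "violation", banner))
        for p in sorted(allowed - set(found[proto])):
            rows.append((proto, p, "allowed-inactive", b""))
    return rows


def violations(rows) -> List[Tuple[str, int]]:
    return [(proto, p) for proto, p, status, _ in rows if status == "violation"]


# Constructed stand-in for the network: 10.0.0.9 runs ssh, http and an unexpected telnet and
# answers DNS and SNMP over UDP; 10.0.0.7 silently drops everything, like a host behind a
# personal firewall. Unlisted TCP ports refuse the connection, unlisted UDP ports stay silent.
_CONSTRUCTED_NET = {
    ("10.0.0.9", "tcp", 22): ("open", b"SSH-2.0-OpenSSH_8.9"),
    ("10.0.0.9", "tcp", 23): ("open", b"login: "),
    ("10.0.0.9", "tcp", 80): ("open", b""),
    ("10.0.0.9", "udp", 53): ("open", b"\x00\x00\x81\x05"),
    ("10.0.0.9", "udp", 161): ("open", b"\x30\x26\x02\x01\x01"),
}


def constructed_probe(ip: str, proto: str, port: int) -> Reply:
    if ip == "10.0.0.7":
        return ("timeout", b"")
    return _CONSTRUCTED_NET.get((ip, proto, port), ("closed", b"") if proto == "tcp" else ("timeout", b""))


WEB_SERVER_TEMPLATE = {"tcp": [22, 80, 443], "udp": [53]}   # constructed machine type template


def demo():
    ports = parse_port_spec("22,23,25,53,80,161,443")
    active, found = scan_host("10.0.0.9", ports, constructed_probe, Limits())
    fw_active, _ = scan_host("10.0.0.7", ports, constructed_probe, Limits())
    return active, fw_active, compliance_rows(WEB_SERVER_TEMPLATE, found)
```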
  • The computer system may allow the network users to view the previous results of network scans. The database may be searched to find all scan results based upon type of scan (Network Discovery or TCP/UDP Port scan), time, IP address range scanned, IP address, username, DNS name, netbios hostname, netbios username, MAC address, TCP/UDP port number, or other criteria. The results may be presented as a list of completed scan times and dates which may be hyper-text linked to actual scan results. Scan results may display the time the scan was executed, the network user who initiated the scan, type of scan, and the time required for the scan to complete. [0037]
  • The computer system network user may create a policy revision to reflect a change in policy, as shown in FIG. 3. The network user may formulate a new policy amendment, step 302. Upon completion, the network user may send, for example, an e-mail notification to the policy's intended recipients, step 304. If an e-mail notification is not sent, the policy may be stored in a modifiable form, step 306. If an e-mail notification is to be sent, the network user may select one or more intended recipients, step 308. A list of recipients' e-mail addresses may be stored within the computer system database. The computer system may create a Simple Mail Transfer Protocol (SMTP) based e-mail message. The SMTP e-mail message may be sent to every selected recipient, step 310. Contained in the e-mail message may be a URL that retrieves the newly created policy amendment from the computer system. The completed policy revision may be stored within the database. The network user may be unable to modify any policy amendment that has been sent via e-mail. If the network user does not send an e-mail message, the policy may be stored within the database for subsequent modification or deletion. [0038]
  • An e-mail recipient may receive an e-mail message from the computer system containing a URL for the computer system, step 312. The recipient may click on the URL, step 314, and a web browser window may open containing the revised policy, step 316. Upon reading the policy, the recipient may supply their name within a text field, step 318, and select an acknowledge button, step 320. The computer system may then determine the IP address of the computer being used by the recipient, its DNS name, netbios name, current user, MAC address and the date, step 322. The results may then be stored in the database, step 324. The computer system may not acknowledge a network user's policy compliance unless the user's name is entered in the provided text field. Once the network user has acknowledged the policy amendment, a confirmation may be returned to the network user, step 326. [0039]
  • Every policy that has been sent may have a View Compliance link. The network user may select this link to determine which network users have read and complied with the policy amendment. If the IP address of the complying user's system is within the computer system database, the network user may view the contact information for the system. This allows the network user to quickly determine a network user's level of policy compliance. [0040]
  • FIG. 7 illustrates an overall method of determining whether a networked system complies with a network security policy according to one embodiment of the invention. A system for which compliance is to be determined may be identified, step 12. The system may then be scanned, step 14. The system may be scanned for current network and/or system information such as, for example, netbios hostname, operating system, netbios username, IP address, etc. The current network and/or system information may be compared to the network and/or system information stored for the system, step 16. Based on the comparison of current information and stored information, a determination may be made regarding whether the system complies with the network security policy, step 18. [0041]
  • FIG. 8 illustrates a system 20 for determining whether a networked system complies with a network security policy according to one embodiment of the invention. The system 20 may include a system identifying module 22 that identifies one or more systems for which it is to be determined whether they comply with a network security policy. A system scanning module 24 may be used to scan the systems identified by system identifying module 22 for current network and/or system information such as, for example, netbios hostname, operating system, netbios username, IP address, etc. The current network and/or system information may be compared to the network and/or system information stored for the system using, for example, policy value comparing module 26. Based on the comparison of current information and stored information, a determination may be made regarding whether the system complies with the network security policy using, for example, policy compliance determining module 28. [0042]
  • FIG. 4 illustrates a system 400 for scanning networked systems using a network discovery scan according to one embodiment of the invention. The system 400 may include an input receiving module 402. The input receiving module 402 may enable a network user to input network environment variables (e.g., HTML PUT, GET, and command line) as arguments. An input validity determining module 404 may determine whether the network user input is valid. If a determination is made that the network user input is invalid, an error reporting and exiting module 406 may be used to present an error message to the network user indicating that the input is invalid and may also exit the computer system. If, however, the network user input is valid, the system 400 may create a linked list of information structures for each IP address using linked lists creating module 408. The system 400 may then insert the database-stored policy-defined values into each IP address's appropriate fields using policy value importing module 410. [0043]
  • The system 400 may then use the linked list to determine the DNS-defined host names registered to the IP addresses using DNS gethostbyaddr calling module 412. [0044]
  • An Internet Control Message Protocol (ICMP) echo request may be transmitted to each IP address in the linked list using ICMP echo request transmitting module 414. A TCP ping transmitting module 416 may be used to transmit a TCP ping to the networked systems. A TCP ping may be used in the event that a networked system's ability to respond to an ICMP echo request has been disabled. A TCP synchronization request may then be transmitted using TCP synchronization requesting module 418. After sending the TCP synchronization request, a connection determining module 420 may be used to determine whether a connection to the networked system has been made. If a connection has been made, the UNIX_flag member for the computer system may be set using UNIX_flag member setting module 422. [0045]
  • The system 400 may then transmit a netbios name request using netbios name request transmitting module 424. Netbios name response determining module 426 may then be used to determine whether a response has been transmitted for the netbios name request. If a netbios name response has been transmitted, the netbios host name may be extracted using netbios host name extracting module 428. A user name and MAC address for the system that transmitted the netbios response may be determined using user name and MAC address determining module 430. The netbios_flag for the responding system may then be set using netbios_flag setting module 432. [0046]
  • The system 400 may then determine the operating system of the responding system using operating systems determining module 434. The system 400 may base this determination on whether the responding system is running an authentication service. If the system is running an authentication service, the responding system may be considered to be a UNIX based system. If the system is not running an authentication service, the system may be considered to be a Microsoft based system if the netbios name service protocol is running. [0047]
  • After a scan is completed, the result of the scan may be imported to a database using results importing module [0048] 436. Based on the results, up known hosts may be displayed using up known host displaying module 438. Stowaways may be displayed using stowaway displaying module 440. Down known hosts may be displayed using down hosts displaying module 442.
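The comparison and display steps of FIG. 4 and FIG. 8 (modules 26, 28 and 434 to 442), written out as an added example in Python. This is not code from the patent; it assumes the stored and current information carry the fields named in the claims, that a host counts as "up" when any probe in the discovery sequence was answered, and that a "stowaway" is a responding address with no stored policy record. All addresses, names and MAC values are constructed test data.

```python
"""Host-compliance check after a discovery scan (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Stored / current information fields named in the claims.
COMPARED_FIELDS = ("dns_hostname", "netbios_hostname", "netbios_username",
                   "operating_system", "mac_address")
Deviation = Tuple[str, str, Optional[str]]   # (field, stored value, observed value)


@dataclass
class HostRecord:
    """One information structure per IP address, as in the patent's linked list."""
    ip: str
    dns_hostname: Optional[str] = None
    netbios_hostname: Optional[str] = None
    netbios_username: Optional[str] = None
    operating_system: Optional[str] = None
    mac_address: Optional[str] = None
    icmp_reply: bool = False        # ICMP echo request answered (module 414)
    tcp_ping_reply: bool = False    # TCP ping answered when ICMP echo is disabled (module 416)
    unix_flag: bool = False         # UNIX_flag: TCP connection completed (modules 418-422)
    netbios_flag: bool = False      # netbios_flag: netbios name response seen (modules 424-432)
    auth_service: bool = False      # authentication service observed (module 434)

    def is_up(self) -> bool:        # assumption: any answered probe means the host is up
        return self.icmp_reply or self.tcp_ping_reply or self.unix_flag or self.netbios_flag


def determine_os(record: HostRecord) -> str:
    """Rule of module 434: authentication service means UNIX; otherwise a
    responding netbios name service means Microsoft; otherwise undecided."""
    if record.auth_service:
        return "UNIX"
    if record.netbios_flag:
        return "Microsoft"
    return "unknown"


def compare_to_policy(policy: HostRecord, current: HostRecord) -> List[Deviation]:
    """Module 26: list every stored policy value the scan contradicts.
    A field with no stored value imposes no requirement and is skipped."""
    deviations: List[Deviation] = []
    for name in COMPARED_FIELDS:
        stored, observed = getattr(policy, name), getattr(current, name)
        if stored is None:
            continue
        if observed is None or observed.lower() != stored.lower():
            deviations.append((name, stored, observed))
    return deviations


def classify_hosts(policy: Dict[str, HostRecord], scan: Dict[str, HostRecord]):
    """Split results the way modules 438-442 display them: up known hosts (with
    their deviations), stowaways and down known hosts."""
    up_known: Dict[str, List[Deviation]] = {}
    stowaways: List[str] = []
    down_known: List[str] = []
    for ip, current in scan.items():
        if not current.is_up():
            if ip in policy:
                down_known.append(ip)
            continue
        if ip not in policy:
            stowaways.append(ip)
            continue
        current.operating_system = determine_os(current)
        up_known[ip] = compare_to_policy(policy[ip], current)
    down_known.extend(ip for ip in policy if ip not in scan)   # never scanned at all
    return up_known, sorted(stowaways), sorted(down_known)


def sample_data() -> Tuple[Dict[str, HostRecord], Dict[str, HostRecord]]:
    """Constructed policy records and scan results (RFC 5737 test addresses)."""
    policy = {
        "192.0.2.10": HostRecord("192.0.2.10", dns_hostname="fileserver.example.test",
                                 netbios_hostname="FILESRV", netbios_username="svc_backup",
                                 operating_system="Microsoft", mac_address="00:00:5e:00:53:01"),
        "192.0.2.11": HostRecord("192.0.2.11", dns_hostname="build.example.test",
                                 operating_system="UNIX", mac_address="00:00:5e:00:53:02"),
        "192.0.2.12": HostRecord("192.0.2.12", mac_address="00:00:5e:00:53:03"),
    }
    scan = {
        # Known host, but a different user is logged on than the policy records.
        "192.0.2.10": HostRecord("192.0.2.10", dns_hostname="fileserver.example.test",
                                 netbios_hostname="FILESRV", netbios_username="jdoe",
                                 mac_address="00:00:5e:00:53:01", icmp_reply=True, netbios_flag=True),
        # ICMP echo disabled; TCP ping and TCP connect succeeded, auth service seen.
        "192.0.2.11": HostRecord("192.0.2.11", dns_hostname="build.example.test",
                                 mac_address="00:00:5e:00:53:02",
                                 tcp_ping_reply=True, unix_flag=True, auth_service=True),
        "192.0.2.12": HostRecord("192.0.2.12"),                      # answered nothing
        "192.0.2.50": HostRecord("192.0.2.50", netbios_hostname="LAPTOP-X",
                                 icmp_reply=True, netbios_flag=True),  # no policy record
    }
    return policy, scan
```

Comparison is case-insensitive because DNS and netbios names are; a practitioner would also normalise MAC address separators before storing them. Note that the OS rule is a heuristic: a host that answers neither an authentication nor a netbios name service stays "unknown" rather than being forced into one of the two categories.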
  • [0049] FIG. 5 illustrates a system 500 for TCP/UDP port scanning according to one embodiment of the invention. System 500 may include an input receiving module 502 that enables a user to provide input. Input validity determining module 504 may be used to determine whether the input is valid. If a determination is made that the input is invalid, an error report may be generated and the system exited using error reporting and exiting module 506. If the input is valid, however, a linked list of IP addresses may be created using linked list creating module 508. The policy values to which each of the systems corresponding to the IP addresses must adhere may be imported using policy value importing module 510. An ICMP request may then be transmitted to each system corresponding to the IP addresses in the linked list using ICMP request transmitting module 512. An ICMP request response determining module 514 can then be used to determine whether any of the systems have responded to the ICMP request. A TCP ping transmitting module 516 may be used to transmit a TCP ping to one or more of the systems corresponding to the IP addresses in the linked list. A TCP ping response determining module 518 may be used to determine whether a response has been received for one or more of the TCP pings transmitted.
  • [0050] If a system responds to either the ICMP request or the TCP ping, the systems to be scanned may be set using systems to be scanned setting module 520. TCP scanning may then commence using TCP scanning module 522. Upon completing the TCP scanning, the system 500 may return to the linked list using linked list returning module 524. A UDP packet may then be transmitted to each port of a scanned system using UDP packet transmitting module 526. A determination may be made regarding whether one or more of the scanned systems have responded to the UDP packet using UDP packet response determining module 528. Based on the determination made by UDP packet response determining module 528, UDP scanning may be commenced for those systems that transmitted a response using UDP scanning module 530. Upon completion of the UDP scanning, the scan results may be imported using scan results importing module 532. The scan results may then be output and presented to a network user using scan results outputting module 534.
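The patent says the port scan of FIG. 5 runs against policy values imported per host (module 510) but does not spell out their form. The added example below (not code from the patent) assumes a host's policy is a set of required services and a set of permitted ones, and evaluates the scan results against it, skipping hosts that answered neither the ICMP request nor the TCP ping, as the patent does. Addresses and ports are constructed.

```python
"""Port-policy evaluation after a TCP/UDP port scan (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Port = Tuple[str, int]   # ("tcp", 22) or ("udp", 161)


@dataclass
class PortPolicy:
    """Assumed form of the imported policy values for one host (module 510)."""
    required: FrozenSet[Port]    # services the host must offer
    allowed: FrozenSet[Port]     # every service the host may offer (superset of required)


@dataclass
class PortScanResult:
    """Result of modules 512-530 for one IP address."""
    responded: bool                              # answered the ICMP request or the TCP ping
    open_ports: FrozenSet[Port] = frozenset()    # ports with a positive response only


@dataclass
class PortFinding:
    unexpected: List[Port] = field(default_factory=list)   # open but not allowed by policy
    missing: List[Port] = field(default_factory=list)      # required by policy but not open

    def compliant(self) -> bool:
        return not self.unexpected and not self.missing


def evaluate_port_policy(policy: Dict[str, PortPolicy],
                         scan: Dict[str, PortScanResult]) -> Dict[str, PortFinding]:
    """One finding per host that responded and has a policy record. Hosts that
    answered no probe are not scanned and so produce no finding; hosts without
    a policy record are left to the discovery scan's stowaway handling."""
    findings: Dict[str, PortFinding] = {}
    for ip, result in scan.items():
        if not result.responded or ip not in policy:
            continue
        pol = policy[ip]
        findings[ip] = PortFinding(
            unexpected=sorted(result.open_ports - pol.allowed),
            missing=sorted(pol.required - result.open_ports),
        )
    return findings


def sample_port_data() -> Tuple[Dict[str, PortPolicy], Dict[str, PortScanResult]]:
    """Constructed policy and scan results (RFC 5737 test addresses)."""
    policy = {
        "192.0.2.10": PortPolicy(
            required=frozenset({("tcp", 445)}),
            allowed=frozenset({("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)})),
        "192.0.2.11": PortPolicy(
            required=frozenset({("tcp", 22)}),
            allowed=frozenset({("tcp", 22), ("tcp", 443)})),
    }
    scan = {
        # File server with an extra listener that policy does not permit.
        "192.0.2.10": PortScanResult(True, frozenset(
            {("tcp", 139), ("tcp", 445), ("udp", 137), ("tcp", 3389)})),
        # Build host whose required service is not listening.
        "192.0.2.11": PortScanResult(True, frozenset({("tcp", 443)})),
        "192.0.2.12": PortScanResult(False),                          # answered no probe
        "192.0.2.50": PortScanResult(True, frozenset({("tcp", 80)})),  # no policy record
    }
    return policy, scan
```

A caveat for the UDP half of the scan: a UDP port that sends no reply cannot be told apart from one that is filtered, which is why the example counts only ports with a positive response as open and reports a required service as missing rather than closed.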
  • [0051] FIG. 6 illustrates a system 600 for notifying a network user of a policy amendment according to one embodiment of the invention. The system 600 may include a policy amendment creating module 602 that enables a network user to create an amendment to a network security policy. After creating the policy amendment, the network user may request that an electronic mail message be created to inform other network users of the policy amendment. The e-mail message request may be made using e-mail message requesting module 604. If the user does not request that an e-mail message be created, the policy including the policy amendment may be stored using policy storing module 606. If, however, the network user requests that an e-mail message be created, the network user may select one or more recipients to whom the e-mail message should be sent using recipient selecting module 608. The e-mail message may then be sent to the recipients using message sending module 610. The recipients may then receive the message using message receiving module 612. The e-mail message may include a uniform resource locator (URL) that may be a hypertext link that presents the policy amendment to the network user. The network user may select the URL using URL selecting module 614. If the network user selects the URL, the policy amendment may be presented to the user using policy presenting module 616. The policy may be presented in a window of a browser.
  • [0052] Policy presenting module 616 may present a network user with fields in which the network user may provide a user name. The user name input by the network user may be received using user name receiving module 618. An acknowledge button may also be presented to the user using policy presenting module 616, such that after the network user reads the policy, the network user may select the acknowledge button using acknowledge button selecting module 620 to acknowledge that the network user has read the policy. System 600 may then identify the type of system that is in use by the network user using system identifying module 622. The information may include, for example, operating system, network connection, etc. This information may be stored in a database using information storing module 624. A policy confirmation may then be transmitted to the network user using policy confirmation transmitting module 626.
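The notification and acknowledgement flow of FIG. 6 (modules 602 to 626), as an added example in Python that is not code from the patent. It assumes an amendment has an identifier and a version, that the URL in the e-mail names both, and that an acknowledgement is only valid for the version the user was shown; the URL prefix, identifiers and message text are constructed.

```python
"""Policy-amendment notification and acknowledgement (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Amendment:
    amendment_id: str
    version: int            # increments each time the same amendment is re-issued
    text: str


@dataclass
class Acknowledgement:
    user_name: str                  # module 618
    amendment_id: str
    version: int                    # the version the user actually read
    system_info: Dict[str, str]     # module 622: e.g. operating system, network connection


class PolicyRegistry:
    """Stands in for modules 602-626 plus the database behind modules 606 and 624."""

    def __init__(self, base_url: str = "https://policy.example.test/amendments") -> None:
        self.base_url = base_url    # assumed URL prefix, not from the patent
        self.amendments: Dict[str, Amendment] = {}
        self.acks: List[Acknowledgement] = []

    def create_amendment(self, amendment_id: str, text: str) -> Amendment:
        """Module 602 / 606: store the amendment; re-issuing bumps the version so
        that earlier acknowledgements no longer count for the new text."""
        previous = self.amendments.get(amendment_id)
        version = previous.version + 1 if previous else 1
        amendment = Amendment(amendment_id, version, text)
        self.amendments[amendment_id] = amendment
        return amendment

    def notification(self, amendment_id: str, recipients: List[str]) -> Dict[str, str]:
        """Modules 604-610: one message per recipient. The URL names both the
        amendment and its version, tying the acknowledgement to that exact text."""
        amendment = self.amendments[amendment_id]
        url = f"{self.base_url}/{amendment.amendment_id}?v={amendment.version}"
        body = f"A network security policy amendment requires your acknowledgement: {url}"
        return {recipient: body for recipient in recipients}

    def acknowledge(self, user_name: str, amendment_id: str, version: int,
                    system_info: Dict[str, str]) -> str:
        """Modules 618-626: record the acknowledgement and return the confirmation.
        A stale version is refused, since the text the user read has since changed."""
        current = self.amendments.get(amendment_id)
        if current is None or current.version != version:
            raise ValueError(f"{amendment_id} v{version} is not the current amendment")
        self.acks.append(Acknowledgement(user_name, amendment_id, version, dict(system_info)))
        return f"Acknowledgement of {amendment_id} v{version} recorded for {user_name}"

    def outstanding(self, amendment_id: str, recipients: List[str]) -> List[str]:
        """Recipients who have not acknowledged the current version."""
        current = self.amendments[amendment_id]
        done: Set[str] = {a.user_name for a in self.acks
                          if a.amendment_id == amendment_id and a.version == current.version}
        return sorted(r for r in recipients if r not in done)
```

Binding the acknowledgement to a version is the point worth taking from this flow: a stored confirmation is only evidence that a user read the policy if it records which text they read, and re-issuing an amendment should re-open the acknowledgement for every recipient.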

Claims (24)

What is claimed is:
1. A method of determining whether a networked system complies with a network security policy, the method comprising the steps of:
identifying at least one system to scan;
scanning the at least one system for current information pertaining to the at least one system;
comparing the current information obtained from the step of scanning against stored information for a network security policy pertaining to the at least one system; and
determining whether the at least one system complies with a network security policy based on the step of comparing.
2. The method of claim 1, further comprising the step of:
creating a list of the at least one system to scan, wherein the list identifies the at least one system using a system identifier.
3. The method of claim 2, wherein the system identifier is an Internet Protocol (IP) address.
4. The method of claim 1, further comprising the step of:
associating at least one stored network security policy value with the system identifier.
5. The method of claim 1, further comprising the step of:
determining whether the at least one system is active.
6. The method of claim 5, further comprising the step of:
transmitting a Transmission Control Protocol (TCP) ping request.
7. The method of claim 5, further comprising the step of:
transmitting an Internet Control Message Protocol (ICMP) echo request.
8. The method of claim 1, further comprising the step of:
setting an operating system identifying flag.
9. The method of claim 8, further comprising the step of:
determining an operating system for the at least one system.
10. The method of claim 1, further comprising the step of:
importing the current information to a database.
11. The method of claim 1, wherein the current information comprises at least one of a DNS hostname, netbios hostname, netbios username, operating system, and MAC address.
12. The method of claim 1, wherein the stored information comprises at least one of a DNS hostname, netbios hostname, netbios username, operating system, and MAC address.
13. A system for determining whether a networked system complies with a network security policy, the system comprising:
an identifying module that identifies at least one system to scan;
a scanning module that scans the at least one system for current information pertaining to the at least one system;
a comparing module that compares the current information obtained from the step of scanning against stored information for a network security policy pertaining to the at least one system; and
a compliance determining module that determines whether the at least one system complies with a network security policy based on the step of comparing.
14. The system of claim 13, further comprising a list creating module that creates a list of the at least one system to scan, wherein the list identifies the at least one system using a system identifier.
15. The system of claim 14, wherein the system identifier is an Internet Protocol (IP) address.
16. The system of claim 13, further comprising an associating module that associates at least one stored network security policy value with the system identifier.
17. The system of claim 13, further comprising an active system determining module that determines whether the at least one system is active.
18. The system of claim 17, further comprising a ping transmitting module that transmits a Transmission Control Protocol (TCP) ping request.
19. The system of claim 17, further comprising an ICMP transmitting module that transmits an Internet Control Message Protocol (ICMP) echo request.
20. The system of claim 13, further comprising a setting module that sets an operating system identifying flag.
21. The system of claim 20, further comprising an operating system determining module that determines an operating system for the at least one system.
22. The system of claim 13, further comprising an importing module that imports the current information to a database.
23. The system of claim 13, wherein the current information comprises at least one of a DNS hostname, netbios hostname, netbios username, operating system, and MAC address.
24. The system of claim 13, wherein the stored information comprises at least one of a DNS hostname, netbios hostname, netbios username, operating system, and MAC address.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/159,316 US20020184533A1 (en) 2001-05-30 2002-05-29 System and method for providing network security policy enforcement

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US29431201P 2001-05-30 2001-05-30
US10/159,316 US20020184533A1 (en) 2001-05-30 2002-05-29 System and method for providing network security policy enforcement

Publications (1)

Publication Number Publication Date
US20020184533A1 true US20020184533A1 (en) 2002-12-05

Family

ID=23132858

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/159,316 Abandoned US20020184533A1 (en) 2001-05-30 2002-05-29 System and method for providing network security policy enforcement

Country Status (2)

Country Link
US (1) US20020184533A1 (en)
WO (1) WO2002097629A1 (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4155073A (en) * 1977-08-26 1979-05-15 A-T-O Inc. System for monitoring integrity of communication lines in security systems having remote terminals
US5557742A (en) * 1994-03-07 1996-09-17 Haystack Labs, Inc. Method and system for detecting intrusion into and misuse of a data processing system
US5710885A (en) * 1995-11-28 1998-01-20 Ncr Corporation Network management system with improved node discovery and monitoring
US6061334A (en) * 1996-07-30 2000-05-09 Lucent Technologies Networks Ltd Apparatus and method for assigning virtual LANs to a switched network
US6154844A (en) * 1996-11-08 2000-11-28 Finjan Software, Ltd. System and method for attaching a downloadable security profile to a downloadable
US6215774B1 (en) * 1997-03-25 2001-04-10 Intel Corporation System for dynamically determining effective speed of a communication link
US6301668B1 (en) * 1998-12-29 2001-10-09 Cisco Technology, Inc. Method and system for adaptive network security using network vulnerability assessment
US6405318B1 (en) * 1999-03-12 2002-06-11 Psionic Software, Inc. Intrusion detection system
US6448928B1 (en) * 1999-03-27 2002-09-10 International Business Machines Corporation GPS for workstations

Cited By (91)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7003561B1 (en) * 2001-06-29 2006-02-21 Mcafee, Inc. System, method and computer program product for improved efficiency in network assessment utilizing a port status pre-qualification procedure
US7779468B1 (en) * 2001-11-30 2010-08-17 Mcafee, Inc. Intrusion detection and vulnerability assessment system, method and computer program product
US20030112823A1 (en) * 2001-12-17 2003-06-19 Microsoft Corporation Methods and systems for establishing communications through firewalls and network address translators
US20070195807A1 (en) * 2001-12-17 2007-08-23 Microsoft Corporation Methods and Systems for Establishing Communications Through Firewalls and Network Address Translators
US7227864B2 (en) * 2001-12-17 2007-06-05 Microsoft Corporation Methods and systems for establishing communications through firewalls and network address translators
US7673043B2 (en) * 2002-01-15 2010-03-02 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8615582B2 (en) 2002-01-15 2013-12-24 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8135830B2 (en) 2002-01-15 2012-03-13 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8661126B2 (en) * 2002-01-15 2014-02-25 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7664845B2 (en) 2002-01-15 2010-02-16 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8135823B2 (en) 2002-01-15 2012-03-13 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8700767B2 (en) 2002-01-15 2014-04-15 Mcafee, Inc. System and method for network vulnerability detection and reporting
US20120144494A1 (en) * 2002-01-15 2012-06-07 Mcafee, Inc., A Delaware Corporation System and method for network vulnerability detection and reporting
US20030217039A1 (en) * 2002-01-15 2003-11-20 Kurtz George R. System and method for network vulnerability detection and reporting
US7243148B2 (en) * 2002-01-15 2007-07-10 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8621060B2 (en) 2002-01-15 2013-12-31 Mcafee, Inc. System and method for network vulnerability detection and reporting
US20040078384A1 (en) * 2002-01-15 2004-04-22 Keir Robin M. System and method for network vulnerability detection and reporting
US20150113421A1 (en) * 2002-12-13 2015-04-23 Mcafee, Inc. System, method, and computer program product for managing a plurality of applications via a single interface
US9791998B2 (en) * 2002-12-13 2017-10-17 Mcafee, Inc. System, method, and computer program product for managing a plurality of applications via a single interface
US20110184860A1 (en) * 2002-12-31 2011-07-28 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security in a computer system
US20110184988A1 (en) * 2002-12-31 2011-07-28 American Express Travel Related Services Company, Method and system for implementing and managing an enterprise identity management for distributed security in a computer system
US20110184985A1 (en) * 2002-12-31 2011-07-28 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security in a computer system
US20110184986A1 (en) * 2002-12-31 2011-07-28 American Express Travel Related Service Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security in a computer system
US20110202565A1 (en) * 2002-12-31 2011-08-18 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security in a computer system
US20110184987A1 (en) * 2002-12-31 2011-07-28 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security in a computer system
US8010562B2 (en) 2002-12-31 2011-08-30 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security in a computer system
US7660795B2 (en) 2002-12-31 2010-02-09 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security in a computer system
US7143095B2 (en) 2002-12-31 2006-11-28 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security
US20100257205A1 (en) * 2002-12-31 2010-10-07 American Express Travel Related Services Company, Inc. Method and System for Implementing and Managing an Enterprise Identity Management for Distributed Security
US8015205B2 (en) * 2002-12-31 2011-09-06 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security
US7765232B2 (en) 2002-12-31 2010-07-27 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security
US20110184845A1 (en) * 2002-12-31 2011-07-28 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security in a computer system
US20110184861A1 (en) * 2002-12-31 2011-07-28 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security in a computer system
US20040139081A1 (en) * 2002-12-31 2004-07-15 Barrett Michael Richard Method and system for implementing and managing an enterprise identity management for distributed security
US20040139050A1 (en) * 2002-12-31 2004-07-15 American Express Travel Related Services Company, Inc. Method and system for implementing and managing an enterprise identity management for distributed security in a computer system
US7627891B2 (en) * 2003-02-14 2009-12-01 Preventsys, Inc. Network audit and policy assurance system
US8561175B2 (en) 2003-02-14 2013-10-15 Preventsys, Inc. System and method for automated policy audit and remediation management
US9094434B2 (en) 2003-02-14 2015-07-28 Mcafee, Inc. System and method for automated policy audit and remediation management
US8793763B2 (en) 2003-02-14 2014-07-29 Preventsys, Inc. System and method for interfacing with heterogeneous network data gathering tools
US8091117B2 (en) 2003-02-14 2012-01-03 Preventsys, Inc. System and method for interfacing with heterogeneous network data gathering tools
US8789140B2 (en) 2003-02-14 2014-07-22 Preventsys, Inc. System and method for interfacing with heterogeneous network data gathering tools
US7536456B2 (en) 2003-02-14 2009-05-19 Preventsys, Inc. System and method for applying a machine-processable policy rule to information gathered about a network
US20050066021A1 (en) * 2003-09-22 2005-03-24 Megley Sean M. Rule compliance
US20050135370A1 (en) * 2003-12-05 2005-06-23 Kim Woo-Chang Network printer and method of setting internet protocol address thereof
US8201257B1 (en) 2004-03-31 2012-06-12 Mcafee, Inc. System and method of managing network security risks
US10165000B1 (en) * 2004-04-01 2018-12-25 Fireeye, Inc. Systems and methods for malware attack prevention by intercepting flows of information
US7756930B2 (en) 2004-05-28 2010-07-13 Ironport Systems, Inc. Techniques for determining the reputation of a message sender
US7849142B2 (en) 2004-05-29 2010-12-07 Ironport Systems, Inc. Managing connections, messages, and directory harvest attacks at a server
US7873695B2 (en) * 2004-05-29 2011-01-18 Ironport Systems, Inc. Managing connections and messages at a server by associating different actions for both different senders and different recipients
US7870200B2 (en) 2004-05-29 2011-01-11 Ironport Systems, Inc. Monitoring the flow of messages received at a server
US7945656B1 (en) * 2004-10-18 2011-05-17 Cisco Technology, Inc. Method for determining round trip times for devices with ICMP echo disable
US7634809B1 (en) * 2005-03-11 2009-12-15 Symantec Corporation Detecting unsanctioned network servers
GB2425371A (en) * 2005-04-21 2006-10-25 Sendo Int Ltd Electronic device having an extensible application program
GB2425371B (en) * 2005-04-21 2007-06-20 Sendo Int Ltd Electronic device having an extensible application programme
US7548544B2 (en) 2005-05-05 2009-06-16 Ironport Systems, Inc. Method of determining network addresses of senders of electronic mail messages
US20070156706A1 (en) * 2005-12-27 2007-07-05 Christian Hayes Apparatus, system, and method for monitoring the usage of computers and groups of computers
WO2007076515A2 (en) * 2005-12-27 2007-07-05 Christian Hayes Apparatus, system, and method for monitoring the usage of computers and groups of computers
WO2007076515A3 (en) * 2005-12-27 2008-05-08 Christian Hayes Apparatus, system, and method for monitoring the usage of computers and groups of computers
US20070192823A1 (en) * 2006-02-09 2007-08-16 Novell, Inc. Policy administration and provisioning
US20070266369A1 (en) * 2006-05-11 2007-11-15 Jiebo Guan Methods, systems and computer program products for retrieval of management information related to a computer network using an object-oriented model
US20070266139A1 (en) * 2006-05-11 2007-11-15 Jiebo Guan Methods, systems and computer program products for invariant representation of computer network information technology (it) managed resources
US8166143B2 (en) * 2006-05-11 2012-04-24 Netiq Corporation Methods, systems and computer program products for invariant representation of computer network information technology (IT) managed resources
US20080059123A1 (en) * 2006-08-29 2008-03-06 Microsoft Corporation Management of host compliance evaluation
US20080060071A1 (en) * 2006-09-01 2008-03-06 Robert John Hennan Security Monitoring Tool for Computer Network
US7904456B2 (en) * 2006-09-01 2011-03-08 Robert John Hennan Security monitoring tool for computer network
US8997091B1 (en) 2007-01-31 2015-03-31 Emc Corporation Techniques for compliance testing
US8280996B2 (en) 2009-01-29 2012-10-02 The Nielsen Company (Us), Llc Methods and apparatus to collect broadband market data
US10484277B2 (en) 2009-01-29 2019-11-19 The Nielsen Company (Us), Llc Methods and apparatus to measure market statistics
US9189796B2 (en) 2009-01-29 2015-11-17 The Nielsen Company (Us), Llc Methods and apparatus to collect broadband market data
WO2010088369A3 (en) * 2009-01-29 2010-09-23 The Nielsen Company (Us), Llc Methods and apparatus to collect broadband market data
US20100191723A1 (en) * 2009-01-29 2010-07-29 Albert Perez Methods and apparatus to measure market statistics
US20100191577A1 (en) * 2009-01-29 2010-07-29 Shi Lu Methods and apparatus to collect broadband market data
US9129293B2 (en) 2009-01-29 2015-09-08 The Nielsen Company (Us), Llc Methods and apparatus to measure market statistics
GB2480029A (en) * 2009-01-29 2011-11-02 Nielsen Co Methods and apparatus to collect broadband market data
US9391858B2 (en) 2009-09-03 2016-07-12 Mcafee, Inc. Host information collection
US20110055381A1 (en) * 2009-09-03 2011-03-03 Mcafee, Inc. Host information collection
US8583792B2 (en) 2009-09-03 2013-11-12 Mcafee, Inc. Probe election in failover configuration
US8924721B2 (en) 2009-09-03 2014-12-30 Mcafee, Inc. Nonce generation
US9049118B2 (en) 2009-09-03 2015-06-02 Mcafee, Inc. Probe election in failover configuration
US20110055907A1 (en) * 2009-09-03 2011-03-03 Mcafee, Inc. Host state monitoring
US8881234B2 (en) 2009-09-03 2014-11-04 Mcafee, Inc. Host state monitoring
US8671181B2 (en) * 2009-09-03 2014-03-11 Mcafee, Inc. Host entry synchronization
US20110055382A1 (en) * 2009-09-03 2011-03-03 Mcafee, Inc. Host entry synchronization
US20110055580A1 (en) * 2009-09-03 2011-03-03 Mcafee, Inc. Nonce generation
US9288058B2 (en) * 2013-09-03 2016-03-15 Red Hat, Inc. Executing compliance verification or remediation scripts
US20150067342A1 (en) * 2013-09-03 2015-03-05 Red Hat, Inc. Systems and methods for executing compliance verification or remediation scripts
US9767278B2 (en) * 2013-09-13 2017-09-19 Elasticsearch B.V. Method and apparatus for detecting irregularities on a device
US20150082437A1 (en) * 2013-09-13 2015-03-19 Prelert Ltd. Method and apparatus for detecting irregularities on a device
US10558799B2 (en) 2013-09-13 2020-02-11 Elasticsearch B.V. Detecting irregularities on a device
US11068588B2 (en) 2013-09-13 2021-07-20 Elasticsearch B.V. Detecting irregularities on a device
CN109905347A (en) * 2017-12-07 2019-06-18 中移(苏州)软件技术有限公司 Security baseline configuration method, device, equipment, cloud host, medium and system

Also Published As

Publication number Publication date
WO2002097629A1 (en) 2002-12-05

Similar Documents

Publication Publication Date Title
US20020184533A1 (en) System and method for providing network security policy enforcement
US8407482B2 (en) User session dependent URL masking
US6981143B2 (en) System and method for providing connection orientation based access authentication
US8478872B2 (en) Delegated network management system and method of using the same
US9374353B2 (en) Enabling dynamic authentication with different protocols on the same port for a switch
US7693947B2 (en) Systems and methods for graphically displaying messaging traffic
US7428590B2 (en) Systems and methods for reflecting messages associated with a target protocol within a network
US8200818B2 (en) System providing internet access management with router-based policy enforcement
US7818565B2 (en) Systems and methods for implementing protocol enforcement rules
US7707401B2 (en) Systems and methods for a protocol gateway
US20030069848A1 (en) A User interface for computer network management
US20080196099A1 (en) Systems and methods for detecting and blocking malicious content in instant messages
JP2002544607A (en) How to manage multiple network security devices from a manager device
US20070180101A1 (en) System and method for storing data-network activity information
CA2488731A1 (en) Systems and methods for a protocol gateway
US8082583B1 (en) Delegation of content filtering services between a gateway and trusted clients in a computer network
Terplan Intranet performance management
JPH11308272A (en) Packet communication control system and packet communication controller
US20210112060A1 (en) Method and Apparatus to Control and Monitor Access to Web Domains using Networked Devices
Cisco Cisco Intrusion Detection System Signature Engines Version 3.1
Cisco NATkit Overview
Cisco Why You Need a Firewall
Cisco Why You Need a Firewall
WO2008086224A2 (en) Systems and methods for detecting and blocking malicious content in instant messages
Simons The challenges of network security remediation at a regional university

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION